Headline: Shop App Abused to Seed Fake Orders in Callback Phishing Scam Targeting Millions of Users

Scammers are exploiting trust in Shopify’s Shop app by inserting fake purchase receipts into users’ order histories to trigger callback phishing attacks and steal sensitive data.

CSBadmin

Cybersecurity researchers have uncovered a new wave of callback phishing attacks abusing Shop, Shopify’s widely used order-tracking application. Threat actors are injecting fraudulent purchase receipts directly into users’ order histories, making scams appear more legitimate by blending them with real transactions from trusted retailers.

The Shop app is a popular digital assistant used by tens of millions of users across North America to track shipments, view receipts, and manage purchases from Shopify-powered merchants. Its legitimacy and convenience make it an attractive target for scammers seeking to exploit user trust at scale.

According to researchers at Gen Digital, attackers are inserting fake invoices impersonating major brands such as Apple, PayPal, Norton, and McAfee. Each fraudulent receipt includes a phone number for “support,” which victims are encouraged to call to dispute the charge. On the other end, scammers pose as customer service agents and use social engineering tactics to extract sensitive information such as login credentials, payment details, and one-time passcodes.

In some cases, victims are further manipulated into installing remote access software, giving attackers full control over their devices. Researchers note that embedding scams directly inside the Shop app makes the scheme more effective than traditional email-based phishing, since users are more likely to trust notifications appearing within a legitimate commerce platform.

While some of the fake receipts contain obvious red flags such as poor grammar, users may overlook these inconsistencies when confronted with high-value “charges.” The exact method used to inject fraudulent orders remains unclear, though Shop can aggregate data from multiple sources including email parsing and merchant integrations.

Investigators emphasize that there is currently no evidence that Shopify or the Shop app itself has been compromised. Until the situation is clarified, users are advised to avoid calling phone numbers listed in suspicious receipts and instead verify any unexpected charges directly with their bank. Anyone who has already engaged with scammers should reset credentials immediately and contact their financial institution.
